** Also affects: linux (Ubuntu Jammy)
Importance: Critical
Assignee: gerald.yang (gerald-yang-tw)
Status: In Progress
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Impish)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Impish)
Status: New => In Progress
** Changed in: linux (Ubuntu Focal)
Status: New => In Progress
** Changed in: linux (Ubuntu Bionic)
Status: New => In Progress
** Changed in: linux (Ubuntu Impish)
Importance: Undecided => Critical
** Changed in: linux (Ubuntu Focal)
Importance: Undecided => Critical
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => Critical
** Changed in: linux (Ubuntu Impish)
Assignee: (unassigned) => gerald.yang (gerald-yang-tw)
** Changed in: linux (Ubuntu Focal)
Assignee: (unassigned) => gerald.yang (gerald-yang-tw)
** Changed in: linux (Ubuntu Bionic)
Assignee: (unassigned) => gerald.yang (gerald-yang-tw)
** Tags added: sts
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1965723
Title:
audit: improve audit queue handling when "audit=1" on cmdline
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Bionic:
In Progress
Status in linux source package in Focal:
In Progress
Status in linux source package in Impish:
In Progress
Status in linux source package in Jammy:
In Progress
Bug description:
SRU Justification
[Impact]
When an admin enables audit at early boot via the "audit=1" kernel
command line the audit queue behavior is slightly different; the
audit subsystem goes to greater lengths to avoid dropping records,
which unfortunately can result in problems when the audit daemon is
forcibly stopped for an extended period of time.
[Fix]
upstream discussion:
https://lore.kernel.org/all/cahc9vhqgx070poxzk_pusawgzppdqvpezvfybse2dnryrbw...@mail.gmail.com/T/
upstream commit:
f26d04331360d42dbd6b58448bd98e4edbfbe1c5
[Test]
configurations:
auditctl -b 64
auditctl --backlog_wait_time 60000
auditctl -r 0
auditctl -w /root/aaa -p wrx
shell scripts:
#!/bin/bash
i=0
while [ $i -le 66 ]
do
touch /root/aaa
let i++
done
mandatory conditions:
add "audit=1" to the cmdline, and kill -19 pid_number(for /sbin/auditd).
As long as we keep the audit_hold_queue non-empty, flush the hold
queue will fall into an infinite loop.
This could also trigger soft lockup when it drops into a infinite loop, e.g.
kernel: [ 94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s!
[kauditd:34]
kernel: [ 94.187736] Modules linked in: xfs iptable_nat nf_conntrack_ipv4
nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_
conntrack libcrc32c iptable_filter isofs xt_cgroup xt_tcpudp iptable_mangle
ip_tables x_tables sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel
pcbc aesni_intel aes_x86_64 pp
dev crypto_simd glue_helper joydev vmwgfx ttm cryptd vmw_balloon
drm_kms_helper intel_rapl_perf input_leds psmouse drm fb_sys_fops syscopyarea
vmxnet3 sysfillrect parport_pc parport m
ac_hid shpchp i2c_piix4 vmw_vsock_vmci_transport vsock sysimgblt vmw_vmci
serio_raw mptspi mptscsih mptbase scsi_transport_spi pata_acpi floppy autofs4
kernel: [ 94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted
4.15.0-171-generic #180~16.04.1-Ubuntu
kernel: [ 94.187757] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS
6.00 11/12/2020
kernel: [ 94.187800] skb_queue_head+0x47/0x50
kernel: [ 94.187803] kauditd_rehold_skb+0x18/0x20
kernel: [ 94.187805] kauditd_send_queue+0xcd/0x100
kernel: [ 94.187806] ? kauditd_retry_skb+0x20/0x20
kernel: [ 94.187808] ? kauditd_send_multicast_skb+0x80/0x80
kernel: [ 94.187809] kauditd_thread+0xa7/0x240
kernel: [ 94.187812] ? wait_woken+0x80/0x80
kernel: [ 94.187815] kthread+0x105/0x140
kernel: [ 94.187817] ? auditd_reset+0x90/0x90
kernel: [ 94.187818] ? kthread_bind+0x40/0x40
kernel: [ 94.187820] ret_from_fork+0x35/0x40
[Other Info]
SF: #00330803
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1965723/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
